https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254632#M834828 <HTML><HEAD></HEAD><BODY><P></P><P>Can you also post he output for these commands</P><P></P><P>show crypto isakmp sa</P><P>show crypto ipsec sa</P></BODY></HTML> Thu, 11 Jun 2009 14:24:53 GMT srikantganesh 2009-06-11T14:24:53Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254625#M834818 <P>Hi, I have three policies (see below)which make up a crypto map policy on a security device. </P><P>How does policy 10 match traffic if there is no "match address" statement? This is the peer I wish to edit but don't know how it is matching? Is there a default addressing match assumed?</P><P>!</P><P>crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1</P><P>crypto map MYCRYPTO_MAP 10 set transform-set MY_TS_SET</P><P>!</P><P>crypto map MYCRYPTO_MAP 20 match address POLICY_ACL1</P><P>crypto map MYCRYPTO_MAP 20 set peer 100.200.300.50</P><P>crypto map MYCRYPTO_MAP 20 set transform-set MY_TS_SET</P><P>!</P><P>crypto map MYCRYPTO_MAP 30 match address POLICY_ACL2</P><P>crypto map MYCRYPTO_MAP 30 set peer 100.200.300.100</P><P>crypto map MYCRYPTO_MAP 30 set transform-set MY_TS_SET2</P><P>!</P><P></P><P>Many thanks,</P><P></P><P>Gerry</P> Mon, 11 Mar 2019 15:42:04 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254625#M834818 crazyhorse29 2019-03-11T15:42:04Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254626#M834821 <HTML><HEAD></HEAD><BODY><P>A match address will be needed to specify interesting traffic.</P><P>Check if the VPN is even up.</P><P></P><P>Show crypto isakmp sa</P><P></P><P>Is it possible to test the VPN if it is not up?</P></BODY></HTML> Thu, 11 Jun 2009 13:53:26 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254626#M834821 srikantganesh 2009-06-11T13:53:26Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254627#M834823 <HTML><HEAD></HEAD><BODY><P>how is the other side configured? as a dynamic map?</P></BODY></HTML> Thu, 11 Jun 2009 13:54:11 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254627#M834823 srue 2009-06-11T13:54:11Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254628#M834824 <HTML><HEAD></HEAD><BODY><P>Thanks Srikant,</P><P></P><P>The VPN is deinately up.</P><P></P><P>Best Regards,</P><P></P><P>Gerard</P></BODY></HTML> Thu, 11 Jun 2009 14:11:18 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254628#M834824 crazyhorse29 2009-06-11T14:11:18Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254629#M834825 <HTML><HEAD></HEAD><BODY><P>under tunnel group for this vpn or the group policy is there any specific acl settings.</P><P></P><P>Can you post the tunnel group, group policy and crypto config for this vpn?</P><P></P><P></P></BODY></HTML> Thu, 11 Jun 2009 14:14:34 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254629#M834825 srikantganesh 2009-06-11T14:14:34Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254630#M834826 <HTML><HEAD></HEAD><BODY><P>Thanks Steven,</P><P></P><P>The other end is checkpoint firewall with both subnets A&lt;--&gt;B allowed in both directions to form the tunnel.</P><P></P><P>Best Regards,</P><P></P><P>Gerry</P></BODY></HTML> Thu, 11 Jun 2009 14:15:47 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254630#M834826 crazyhorse29 2009-06-11T14:15:47Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254631#M834827 <HTML><HEAD></HEAD><BODY><P>Hi Srikant,</P><P></P><P>No ACL settings...that is why I was wondering how the traffic is being matched? Is there a default setting?</P><P></P><P>Tunnel config below.</P><P></P><P>tunnel-group 100.200.300.1 type ipsec-l2l</P><P>tunnel-group 100.200.300.1 general-attributes</P><P> no accounting-server-group</P><P> default-group-policy DfltGrpPolicy</P><P>tunnel-group 100.200.300.1 ipsec-attributes</P><P> pre-shared-key *</P><P> peer-id-validate req</P><P> no chain</P><P> no trust-point</P><P> isakmp keepalive threshold 10 retry 2</P><P></P><P>Thanks</P><P></P><P>Gerard</P></BODY></HTML> Thu, 11 Jun 2009 14:23:16 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254631#M834827 crazyhorse29 2009-06-11T14:23:16Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254632#M834828 <HTML><HEAD></HEAD><BODY><P></P><P>Can you also post he output for these commands</P><P></P><P>show crypto isakmp sa</P><P>show crypto ipsec sa</P></BODY></HTML> Thu, 11 Jun 2009 14:24:53 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254632#M834828 srikantganesh 2009-06-11T14:24:53Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254633#M834829 <HTML><HEAD></HEAD><BODY><P>show crypto isakmp sa</P><P></P><P>4 IKE Peer: 100.200.300.1 </P><P> Type : L2L Role : responder </P><P> Rekey : no State : MM_ACTIVE </P><P></P><P>-----------</P><P></P><P>FW# show vpn-sessiondb detail l2l filter ipaddress 100.200.300.1</P><P></P><P>Session Type: LAN-to-LAN Detailed</P><P></P><P>Connection : 100.200.300.1</P><P>Index : 1 IP Addr : 100.200.300.1</P><P>Protocol : IPSecLAN2LAN Encryption : 3DES</P><P>Hashing : SHA1 </P><P>Bytes Tx : 996874716 Bytes Rx : 622313494</P><P>Login Time : 10:40:07 UTC Thu Jun 11 2009</P><P>Duration : 4h:33m:13s</P><P>Filter Name : </P><P></P><P>IKE Sessions: 1</P><P>IPSec Sessions: 2</P><P></P><P></P><P>IKE:</P><P> Session ID : 1</P><P> UDP Src Port : 500 UDP Dst Port : 500</P><P> IKE Neg Mode : Main Auth Mode : preSharedKeys</P><P> Encryption : AES256 Hashing : SHA1</P><P> Rekey Int (T): 86400 Seconds Rekey Left(T): 70008 Seconds</P><P> D/H Group : 2</P><P></P></BODY></HTML> Thu, 11 Jun 2009 14:29:10 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254633#M834829 crazyhorse29 2009-06-11T14:29:10Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254634#M834832 <HTML><HEAD></HEAD><BODY><P>try show ipsec sa peer 100.200.300.1</P><P>This should include the traffic it is encrypting/decrypting for this VPN</P></BODY></HTML> Thu, 11 Jun 2009 14:33:34 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254634#M834832 srikantganesh 2009-06-11T14:33:34Z https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254635#M834833 <HTML><HEAD></HEAD><BODY><P>Thanks Srikant,</P><P></P><P>There appears to be a local and remote subnet listed for source and desintation but I cannot find where this is defined?</P><P></P><P>This is the point of my posting as I cannot locate where it is reading this information.</P><P></P><P>Kind Regards,</P><P></P><P>Gerard</P></BODY></HTML> Thu, 11 Jun 2009 14:37:32 GMT https://community.cisco.com/t5/network-security/crypto-map-address-matching-question/m-p/1254635#M834833 crazyhorse29 2009-06-11T14:37:32Z